dcrat | 6a605bb663231bbe8a2e263568ea41e125a18350250bc75fbb9a43c4fae81700

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 10:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6a605bb663231bbe8a2e263568ea41e125a18350250bc75fbb9a43c4fae81700.exe
Size

1.3MB
MD5

77ffda5ff2e563a64c2f7d2840620c8d
SHA1

246d003969350060bce81fd983d04e98efcb3d2a
SHA256

6a605bb663231bbe8a2e263568ea41e125a18350250bc75fbb9a43c4fae81700
SHA512

772a903833ed988e313f4d982d012136317f2135538dc5f4f82a0ee292699290201d74c530cd33e4f8e07c55e2f988a9da22b03516b36896443077fc3bdc42bf
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2764	schtasks.exe	34

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001748f-9.dat	dcrat
behavioral1/memory/2724-13-0x0000000001030000-0x0000000001140000-memory.dmp	dcrat
behavioral1/memory/572-108-0x0000000000DC0000-0x0000000000ED0000-memory.dmp	dcrat
behavioral1/memory/1512-226-0x0000000000EF0000-0x0000000001000000-memory.dmp	dcrat
behavioral1/memory/2200-522-0x0000000001270000-0x0000000001380000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1356	powershell.exe
1792	powershell.exe
956	powershell.exe
1404	powershell.exe
612	powershell.exe
1208	powershell.exe
1560	powershell.exe
1304	powershell.exe
2992	powershell.exe
1876	powershell.exe
1164	powershell.exe
2188	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2724	DllCommonsvc.exe
572	conhost.exe
1536	conhost.exe
1512	conhost.exe
3060	conhost.exe
2232	conhost.exe
2680	conhost.exe
2664	conhost.exe
2200	conhost.exe
3040	conhost.exe
1304	conhost.exe
2208	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
3008	cmd.exe
3008	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
22	raw.githubusercontent.com
25	raw.githubusercontent.com
32	raw.githubusercontent.com
4	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
29	raw.githubusercontent.com
36	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
18	raw.githubusercontent.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\conhost.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\088424020bedd6	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Migration\WTR\services.exe	DllCommonsvc.exe
File created	C:\Windows\Migration\WTR\c5b4cb5e9653cc	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6a605bb663231bbe8a2e263568ea41e125a18350250bc75fbb9a43c4fae81700.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1264	schtasks.exe
2376	schtasks.exe
2836	schtasks.exe
2328	schtasks.exe
2612	schtasks.exe
2704	schtasks.exe
2976	schtasks.exe
2236	schtasks.exe
2644	schtasks.exe
2124	schtasks.exe
2792	schtasks.exe
2016	schtasks.exe
2020	schtasks.exe
1772	schtasks.exe
2108	schtasks.exe
692	schtasks.exe
1936	schtasks.exe
2808	schtasks.exe
2028	schtasks.exe
2804	schtasks.exe
2852	schtasks.exe
2528	schtasks.exe
2252	schtasks.exe
2732	schtasks.exe
1728	schtasks.exe
1392	schtasks.exe
752	schtasks.exe
2820	schtasks.exe
528	schtasks.exe
656	schtasks.exe
1352	schtasks.exe
2092	schtasks.exe
2844	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2724	DllCommonsvc.exe
1560	powershell.exe
2188	powershell.exe
1208	powershell.exe
1792	powershell.exe
2992	powershell.exe
612	powershell.exe
956	powershell.exe
1404	powershell.exe
1304	powershell.exe
1164	powershell.exe
1876	powershell.exe
1356	powershell.exe
572	conhost.exe
1536	conhost.exe
1512	conhost.exe
3060	conhost.exe
2232	conhost.exe
2680	conhost.exe
2664	conhost.exe
2200	conhost.exe
3040	conhost.exe
1304	conhost.exe
2208	conhost.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2724	DllCommonsvc.exe
Token: SeDebugPrivilege	1560	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	612	powershell.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	1404	powershell.exe
Token: SeDebugPrivilege	1304	powershell.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	572	conhost.exe
Token: SeDebugPrivilege	1536	conhost.exe
Token: SeDebugPrivilege	1512	conhost.exe
Token: SeDebugPrivilege	3060	conhost.exe
Token: SeDebugPrivilege	2232	conhost.exe
Token: SeDebugPrivilege	2680	conhost.exe
Token: SeDebugPrivilege	2664	conhost.exe
Token: SeDebugPrivilege	2200	conhost.exe
Token: SeDebugPrivilege	3040	conhost.exe
Token: SeDebugPrivilege	1304	conhost.exe
Token: SeDebugPrivilege	2208	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 316	3052	JaffaCakes118_6a605bb663231bbe8a2e263568ea41e125a18350250bc75fbb9a43c4fae81700.exe	30
PID 3052 wrote to memory of 316	3052	JaffaCakes118_6a605bb663231bbe8a2e263568ea41e125a18350250bc75fbb9a43c4fae81700.exe	30
PID 3052 wrote to memory of 316	3052	JaffaCakes118_6a605bb663231bbe8a2e263568ea41e125a18350250bc75fbb9a43c4fae81700.exe	30
PID 3052 wrote to memory of 316	3052	JaffaCakes118_6a605bb663231bbe8a2e263568ea41e125a18350250bc75fbb9a43c4fae81700.exe	30
PID 316 wrote to memory of 3008	316	WScript.exe	31
PID 316 wrote to memory of 3008	316	WScript.exe	31
PID 316 wrote to memory of 3008	316	WScript.exe	31
PID 316 wrote to memory of 3008	316	WScript.exe	31
PID 3008 wrote to memory of 2724	3008	cmd.exe	33
PID 3008 wrote to memory of 2724	3008	cmd.exe	33
PID 3008 wrote to memory of 2724	3008	cmd.exe	33
PID 3008 wrote to memory of 2724	3008	cmd.exe	33
PID 2724 wrote to memory of 1304	2724	DllCommonsvc.exe	68
PID 2724 wrote to memory of 1304	2724	DllCommonsvc.exe	68
PID 2724 wrote to memory of 1304	2724	DllCommonsvc.exe	68
PID 2724 wrote to memory of 956	2724	DllCommonsvc.exe	69
PID 2724 wrote to memory of 956	2724	DllCommonsvc.exe	69
PID 2724 wrote to memory of 956	2724	DllCommonsvc.exe	69
PID 2724 wrote to memory of 1404	2724	DllCommonsvc.exe	70
PID 2724 wrote to memory of 1404	2724	DllCommonsvc.exe	70
PID 2724 wrote to memory of 1404	2724	DllCommonsvc.exe	70
PID 2724 wrote to memory of 2992	2724	DllCommonsvc.exe	71
PID 2724 wrote to memory of 2992	2724	DllCommonsvc.exe	71
PID 2724 wrote to memory of 2992	2724	DllCommonsvc.exe	71
PID 2724 wrote to memory of 1876	2724	DllCommonsvc.exe	72
PID 2724 wrote to memory of 1876	2724	DllCommonsvc.exe	72
PID 2724 wrote to memory of 1876	2724	DllCommonsvc.exe	72
PID 2724 wrote to memory of 612	2724	DllCommonsvc.exe	73
PID 2724 wrote to memory of 612	2724	DllCommonsvc.exe	73
PID 2724 wrote to memory of 612	2724	DllCommonsvc.exe	73
PID 2724 wrote to memory of 1164	2724	DllCommonsvc.exe	74
PID 2724 wrote to memory of 1164	2724	DllCommonsvc.exe	74
PID 2724 wrote to memory of 1164	2724	DllCommonsvc.exe	74
PID 2724 wrote to memory of 2188	2724	DllCommonsvc.exe	75
PID 2724 wrote to memory of 2188	2724	DllCommonsvc.exe	75
PID 2724 wrote to memory of 2188	2724	DllCommonsvc.exe	75
PID 2724 wrote to memory of 1208	2724	DllCommonsvc.exe	76
PID 2724 wrote to memory of 1208	2724	DllCommonsvc.exe	76
PID 2724 wrote to memory of 1208	2724	DllCommonsvc.exe	76
PID 2724 wrote to memory of 1560	2724	DllCommonsvc.exe	77
PID 2724 wrote to memory of 1560	2724	DllCommonsvc.exe	77
PID 2724 wrote to memory of 1560	2724	DllCommonsvc.exe	77
PID 2724 wrote to memory of 1356	2724	DllCommonsvc.exe	78
PID 2724 wrote to memory of 1356	2724	DllCommonsvc.exe	78
PID 2724 wrote to memory of 1356	2724	DllCommonsvc.exe	78
PID 2724 wrote to memory of 1792	2724	DllCommonsvc.exe	79
PID 2724 wrote to memory of 1792	2724	DllCommonsvc.exe	79
PID 2724 wrote to memory of 1792	2724	DllCommonsvc.exe	79
PID 2724 wrote to memory of 2224	2724	DllCommonsvc.exe	86
PID 2724 wrote to memory of 2224	2724	DllCommonsvc.exe	86
PID 2724 wrote to memory of 2224	2724	DllCommonsvc.exe	86
PID 2224 wrote to memory of 2376	2224	cmd.exe	94
PID 2224 wrote to memory of 2376	2224	cmd.exe	94
PID 2224 wrote to memory of 2376	2224	cmd.exe	94
PID 2224 wrote to memory of 572	2224	cmd.exe	95
PID 2224 wrote to memory of 572	2224	cmd.exe	95
PID 2224 wrote to memory of 572	2224	cmd.exe	95
PID 572 wrote to memory of 316	572	conhost.exe	97
PID 572 wrote to memory of 316	572	conhost.exe	97
PID 572 wrote to memory of 316	572	conhost.exe	97
PID 316 wrote to memory of 3020	316	cmd.exe	99
PID 316 wrote to memory of 3020	316	cmd.exe	99
PID 316 wrote to memory of 3020	316	cmd.exe	99
PID 316 wrote to memory of 1536	316	cmd.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a605bb663231bbe8a2e263568ea41e125a18350250bc75fbb9a43c4fae81700.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a605bb663231bbe8a2e263568ea41e125a18350250bc75fbb9a43c4fae81700.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Local Settings\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1404
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1164
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\My Documents\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1356
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UNPCLYSWDi.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2224
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2376
      - C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\conhost.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\conhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\57xCWyooww.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:3020
        
        C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\conhost.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\conhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\da4noHdFs8.bat"
        9⤵
        
        PID:2152
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2632
        
        C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\conhost.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\conhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BAWHCtE00Z.bat"
        11⤵
        
        PID:2084
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1544
        
        C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\conhost.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\conhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pFKIY4EPZg.bat"
        13⤵
        
        PID:2668
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2844
        
        C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\conhost.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\conhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wYroxckjTC.bat"
        15⤵
        
        PID:1340
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:3008
        
        C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\conhost.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\conhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a1rZrAbBst.bat"
        17⤵
        
        PID:2204
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2420
        
        C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\conhost.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\conhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uZApDsIgYI.bat"
        19⤵
        
        PID:2784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1876
        
        C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\conhost.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\conhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H7kUlUtrsw.bat"
        21⤵
        
        PID:2288
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2648
        
        C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\conhost.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\conhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sWmtPUST1G.bat"
        23⤵
        
        PID:1104
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2356
        
        C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\conhost.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\conhost.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jaxwQXfGLd.bat"
        25⤵
        
        PID:1120
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2672
        
        C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\conhost.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\conhost.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Local Settings\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Local Settings\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\Migration\WTR\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\My Documents\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\My Documents\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
29cfd9098de8498fbe4c976573b1ed27

SHA1
a72f9665c37ec1d0e1c7fd5cd3a7388520cd868b

SHA256
cef9681cdd417a095ae6946c46a456fadc43352f99d29870ea62d539ac1f040c

SHA512
dd4a6a6c881c578948dd2e625cd300f721b107c7652fd3310554b7858fd72bd0e2898405c595b8df48118fccab4defa041b8ad23c78ce86c97c2a2a8f1d586e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
438e38eabb2d3153fc4e17533de7ecaf

SHA1
7e2794b763bb7bf323c20ed281e218eb4bd6cc27

SHA256
217c7c202774e75aa168f3df1dfba49e31c0d0c05ed63ab79bcc5b77fb21fcdc

SHA512
d212afee78fe21cf2c73a0a836c0a8a19bf58d903d0edc02dfa5255d14839868fdab523acaf42c7491776743dafbc9c873d16a1fb36676d3f15689752369d853

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c02f0c0ba1c5ced4a34cacd836d601b9

SHA1
d68f63f91e8cd23e63ee4d2cc1c0dacfe7bbbc8c

SHA256
8e59ec3b58a8507e1c543cf84d797e1fa45c65e24f04e994c15d5135cfe82418

SHA512
0abef330b79e2a903bc9743ee83dc6f20f855b61ff59a61c6e4b01ccca61df8705217725e73b8b233bcb341989792251f0b39b1b40527d2b4cf978c2815bf98c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dbcb67305d01f56c6395652bcd3dad66

SHA1
3f7395ec6e00f533f7ad3ae0f03b894418e4fb4a

SHA256
aefb3cc67c389f891774dcb9230a1dae955ce067af58bc9981e153897d251668

SHA512
52a2f0662dd6580a49434f9f0845c3f97ed3cd6388f03413550bb0c761848d7d0e8d50737149a08e70b17d62719aa932d2f68ac39880f7cdcaefafaf272770ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ce9a064e99ec258148d5f1e127eed7a3

SHA1
23095eb10e26cc135c54368ab2c4d45e8428b9fc

SHA256
21d8db1b4097349618c0e17c67b6d1fb563b21d8f3a811c39914e3ab7b55e687

SHA512
d9653eb0211a94acd316b409a1eb36b40bf80b4d3dd69e9cad1aa903b89660bb862cb5e7fafcb5575eb163f010672d72a076e5aa94d428d8656a99423ff5ac00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ff882318eed1d4de272ba52a9ba8078

SHA1
fdad6df0f19108e8fad8a86af2731e226172dccb

SHA256
715965c58ae12dd41850a6a04cf0ce98d6da1d325f7b91d66ca0d9152719d419

SHA512
4785fa0b799f870bdcb8b21f66baf64864bdb6ef7e3fb7dfc5adce93e62df5501820f82b5f5842b5e44e865a11fb79fa37f0a9fba29a9664d4e2c76fffd10afd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7e81640ef941c7c27e22c3432a814526

SHA1
14fb319c5ee76262244a9e2f1b9bec0abe14cb36

SHA256
703550d7043af90875227c259ee66e189adcc315c9eec965ff1337963a56849d

SHA512
831e66847b7d914cb832d477de80b72d7d4a83ae4004ed74baef1ad9b25846eb950f6c54402303efaae082c7e851598996aadcb961733d9c881db6df1f74ca87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d5105099bd0dfd426e7feff19b92798b

SHA1
f876d80233a5e219a125eb2bae7e825f6dfaef6c

SHA256
1ed6f4eb7365a310e1e6ac5c5452320ba3c77d5d29f5c57b8edbd63571c29c99

SHA512
f6a3fc88999f6cd2be062cefbd6d646eddaa897231c90abf53f86a5e6db3130fefcc0ce1be9578f6fa57404d0ce73ff5d928646fd77458e9c69736e88fd4fca2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b592da270012bcf0dbfa182286bc78ab

SHA1
34e5de26cbb8950942f08b7415e95c9dec64d544

SHA256
ed02457ce133b35c0d417d0d044241e73170ad020764b84a60de659d170d6738

SHA512
e21b9ae24e1257773d6322626516c793ee34e02a8795480885bff6368ab9eda3d4cc6667a7ebaafd693b9ec1a51144443203b2fda9c5fb60be1b333a078249a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\57xCWyooww.bat

Filesize
247B

MD5
ba094a4878450cc3621e1cbbdfa02421

SHA1
59aa0e00aa22bc52499539b066bee0af0a37d571

SHA256
c5f5daf72b61d856402466e94618bbdd3ad850033c5c0d4f1b66f82d675e7ed0

SHA512
aac68df66c1fb015aa468176777f21fd462294463f14eec43aa522593fa0838dbb9af8e20163fcfeb2b9e290403747e3cab2c4d61558bb50ae71aeab70c07778

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAWHCtE00Z.bat

Filesize
247B

MD5
03c31427bf4ed9d8743a9eb160452aff

SHA1
9cd977285446c9d9771d690dce610d90804a599b

SHA256
3dae3a905b25921dd9753cd8dd7cc004deab0ae6dbed9413080d6cf4a043cbb1

SHA512
a96dcc6efca6806cec746fafef3927a130d4474cc7cbd5f6db49f6ea75ad910ce3504af07a7a2c8c231e10726c22cc28db5f76ac0e20e7d41e41f448870fef82

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD809.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\H7kUlUtrsw.bat

Filesize
247B

MD5
f63d042b8931b66285e6e9db30b5aac8

SHA1
62ba58e2ad284c0ad76c54a981f7cec962b6b65e

SHA256
2773f8cd5ac81e6079db33d42e9024832a4f17ae489f8728e5fff0c824ef45ad

SHA512
e20ad11806cd92497a8e414689d97d8288b55828e456f5b2c67670427d72f67942f361e79406b1511add71b66284cfe99a9153a300f0dc2d01d98c0e6249e023

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD82B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UNPCLYSWDi.bat

Filesize
247B

MD5
c48f1252501fc5ccd631d60d69ac8882

SHA1
ffa8c8920fba36d3966cc7cc23194669cdda7be5

SHA256
bb962fba31167fafe319124ffa0c24a4b9e46dcc6ed1654bb6c4e590186c993f

SHA512
d614d73bfde8a6f2deb57004936cb6c7ec7fd6161e51d14b634e5c8074635ca7b778519ff2b51eb5e55e1c8fa9ec51f10171007199b80a976ecb95ac86663ebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1rZrAbBst.bat

Filesize
247B

MD5
d7345ba7c62c95684e969342d598c760

SHA1
04f1fb0eb8d8df6aa883c7ed2610856ca78942b2

SHA256
b0950155ad3d68cfea3e3edb5d3b1ea494369fd0a0f71ad0f137a98d287edad4

SHA512
070e9a465afb5edc0c63ad90ec1a7a2b237552a4dd1e32b157e26b9057b1be82d7d5b231c39ffcd10d7e2309fe6ccf23179daf08fcc21b0807c518df2ea708b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\da4noHdFs8.bat

Filesize
247B

MD5
e9a242b02276f5b6be5dd718732726a2

SHA1
09f9d3ff905acd4863d7ab442ce077a21ef030ea

SHA256
334139ee5ddc5f00e626a8efd4243a6d0e5f4493347f495edf71645c5fbdd37e

SHA512
39d2c973542bcd4a4b3b9a7fe1242f291f1310e50890227590071a4d2c0deeb2e9c025a76e58807e016e01a5ab348f90053affd822d101480599b223bf139385

Download Submit
C:\Users\Admin\AppData\Local\Temp\jaxwQXfGLd.bat

Filesize
247B

MD5
e9b19e2418932d23a8ad2501eec80ea2

SHA1
9bffcb4f6aade555601fe28e4aa639d667adff23

SHA256
87bef4158edba6ab35f7f1a953a6936ec30a3a5048af49901e9d073c05feca3e

SHA512
a9f834a73dfe3cb8ce6bdbb8d79c7ca92ac3a13acd8cdc20374388bbe202c123d6354652c350f74d78bf7584545c76f0ccb3a5298bd6a5471093e416a2c8d032

Download Submit
C:\Users\Admin\AppData\Local\Temp\pFKIY4EPZg.bat

Filesize
247B

MD5
2a737c2c21c73c3bdfae2726aad9c45e

SHA1
d56396dcc42941ee88371c417e28b2dd339f689e

SHA256
f026563bcdfaac982364f0e7965e50e16ee7daebacad37246ec2862d5b5c08fe

SHA512
f41bc2b336f9016ab068d6cd17842cdf6249fa7179225b9f35a7a08341c2cc91d71b1ffc18f14d6add14ef9eeb73c8366472a6f7abacf8d3d6dc7e7b0c73c1e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\sWmtPUST1G.bat

Filesize
247B

MD5
ad26627d55a28f0da4a78a63aa73a021

SHA1
8655c6af15ce75279a8fa4817aef469b63fc1267

SHA256
7947ad670b38af7d43b066faaad44827653c28f5cd6e69067aaaa1aab3f8fc27

SHA512
92711ead04b8325a955beccd0a587e70e0857fa93eddfd675427e8b573d44e9fdd5e963598319ea00d70231d937dbc5746ab5bc1c80ff00763cef0cc46383668

Download Submit
C:\Users\Admin\AppData\Local\Temp\uZApDsIgYI.bat

Filesize
247B

MD5
fd95f82ba9ec6c373e907aea3a0c37d3

SHA1
92a0fe6535c910252913f7e054f5f94e05b41a2e

SHA256
bd5cf59074601a47460d4f73d1fafec2a2736180a476a4f44091f52dd9ace2e1

SHA512
de5c45424eacec50a9963aa391647673218cf8f8e9a3482f52ac236b76dde9280cc86b1566daf303947a7003e15ffa06f98b4449ab41770b65459f623173d4db

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYroxckjTC.bat

Filesize
247B

MD5
1efefe094d9bd4fa639f9374ac23ed06

SHA1
868c66acb89241d52aff0b818521117c60f8959b

SHA256
5a6dcb8345c225ff7e0a9d4e6bde90d716d92c9e0253ffd6e284942045bcf631

SHA512
86e102db063f3bb2cd0671996ab2ab393ec701fc5682199ee3918d37b58641cf15ff72bcbf37df5be68d08a65440578db94ca006c2aebe949c1ffadd462c9f95

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5f394de19ac2c1b0e82b91ca125a6a9b

SHA1
073173d591a3b4309c5161b2b755d5080f300691

SHA256
8eb98cc2de0606e8e88d0135b7a1a5c70c2e169822b7b88b749bf53a8693ad16

SHA512
d782afa76e19719282f3b3cb94381692ec741eae9e4470a37d21c14b1ae1ea37f662119ec8660288350bb606ce8a9c817f59d6dac844663a81679c1f723759a7

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/572-108-0x0000000000DC0000-0x0000000000ED0000-memory.dmp

Filesize
1.1MB

Download
memory/1512-226-0x0000000000EF0000-0x0000000001000000-memory.dmp

Filesize
1.1MB

Download
memory/1560-72-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/1560-73-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

Filesize
32KB

Download
memory/2200-522-0x0000000001270000-0x0000000001380000-memory.dmp

Filesize
1.1MB

Download
memory/2724-17-0x0000000000200000-0x000000000020C000-memory.dmp

Filesize
48KB

Download
memory/2724-16-0x00000000001E0000-0x00000000001EC000-memory.dmp

Filesize
48KB

Download
memory/2724-15-0x00000000001F0000-0x00000000001FC000-memory.dmp

Filesize
48KB

Download
memory/2724-14-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/2724-13-0x0000000001030000-0x0000000001140000-memory.dmp

Filesize
1.1MB

Download